What is SSH port forwarding, also known as SSH tunneling?
SSH port forwarding is a mechanism in SSH for tunneling application ports from the client machine to the server machine, or vice versa. It can be used to add encryption to legacy applications, go through firewalls, and some system administrators and IT professionals use it to open backdoors to the internal network from their home machines. It can also be abused by hackers and malware to open access from the Internet to the internal network. See the SSH tunneling page for a more comprehensive overview.
Local forwarding
Local forwarding is used to forward a port from the client computer to the server computer. Basically, the SSH client listens for connections on a configured port, and when it receives a connection, it tunnels the connection to an SSH server. The server connects to a configured destination port, possibly on a different machine than the SSH server.
Typical uses for local port forwarding include:
- Tunneling sessions and file transfers through hop servers
- Connecting to a service on an internal network from the outside
- Connecting to a remote file share over the Internet
Quite a few organizations route all incoming SSH access through a single hop server. The server can be a standard Linux/Unix box, usually with some additional hardening, intrusion detection, and/or logging, or it can be a commercial hop server solution.
Many hop servers allow forwarding of incoming ports, once the connection has been authenticated. Such port forwarding is convenient, as it allows tech-savvy users to use internal resources quite transparently. For example, they can forward a port on their local machine to the corporate intranet web server, the IMAP port of an internal mail server, ports 445 and 139 on a local file server, a printer, a version control repository, or almost any other system on the internal network. Frequently, the port is tunneled to an SSH port on an internal machine.
In OpenSSH, local port forwarding is configured using the -L option:
ssh -L 80:intra.example.com:80 gw.example.com
This example opens a connection to the hop server gw.example.com and forwards any connections to port 80 on the local computer to port 80 on intra.example.com.
By default, anyone (even on different machines) can connect to the specified port on the SSH client machine. However, this can be restricted to programs on the same host by providing a binding address:
ssh -L 127.0.0.1:80:intra.example.com:80 gw.example.com
The LocalForward option in the OpenSSH client configuration file can be used to configure forwarding without having to specify it on the command line.
Remote forwarding
In OpenSSH, remote SSH port forwards are specified using the -R option. For example:
ssh -R 8080:localhost:80 public.example.com
This allows anyone on the remote server to connect to TCP port 8080 on the remote server. The connection will then be piped back to the client host, and then the client will make a TCP connection to port 80 on localhost. Any other host name or IP address can be used instead of localhost to specify the host to connect to.
This particular example would be useful for giving someone on the outside access to an internal web server, or for exposing an internal web application to the public Internet. This could be done by an employee working from home, or by an attacker.
By default, OpenSSH only allows you to connect to remote forwarded ports from the server host. However, the GatewayPorts option in the server configuration file sshd_config can be used to control this. The following alternatives are possible:
GatewayPorts no
This prevents connection to forwarded ports from outside the server computer.
GatewayPorts yes
This allows anyone to connect to forwarded ports. If the server is on the public Internet, any Internet user can connect to the port.
GatewayPorts clientspecified
This means that the client can specify an IP address from which connections to the port are allowed. The syntax for this is
: ssh -R 52.194.1.73:8080:localhost:80 host147.aws.example.com
In this example, only connections from IP address 52.194.1.73 to port 8080 are allowed.
OpenSSH also allows the forwarded remote port to be specified as 0. In this case, the server will dynamically assign a port and report it to the client. When used together with the -O forward option, the client will print the assigned port number to standard output.
Opening backdoors in the enterprise
Remote forwarding of SSH ports is commonly used by employees to open backdoors into the company network. For example, the employee can get a free-tier server from Amazon AWS and log in from the office to that server, specifying a remote forward from a server port to some server or application on the internal enterprise network. Multiple remote forwards can be specified to open access to more than one application.
The employee would also set GatewayPorts yes on the server (most employees don’t have fixed IP addresses at home, so they can’t restrict the IP address).
For example, the following command opens access to an internal Postgres database on port 5432 and an internal SSH port on port 2222:
ssh -R 2222:d76767.nyc.example.com:22 -R 5432:postgres3.nyc.example.com:5432 aws4.mydomain.net
Server-side configuration
The AllowTcpForwarding option in the OpenSSH server configuration file must be enabled on the server to allow port forwarding. By default, forwarding is allowed. The possible values for this option are yes or all to allow all TCP forwarding, no to prevent all TCP forwarding, local to allow local forwarding, and remote to allow remote forwarding.
Another option of interest is AllowStreamLocalForwarding, which controls forwarding of Unix domain sockets. It accepts the same values as AllowTcpForwarding. The default value is yes.
For example:
AllowTcpForwarding remote
AllowStreamLocalForwarding no
The GatewayPorts configuration setting described above also affects remote port forwarding. Its possible values are no (only local connections from the server host are allowed; the default), yes (anyone on the Internet can connect to remote forwarded ports), and clientspecified (the client can specify an IP address that may connect; if none is specified, anyone can connect).
How to prevent SSH port forwarding from bypassing firewalls
We recommend that port forwarding be expressly disabled when it is not required. Leaving port forwarding enabled can expose your organization to security risks and backdoors. For example, if a server intended to provide only SFTP file transfers allows port forwarding, those forwards could be used to gain unwanted access to the internal network from the Internet.
The problem is that, in practice, port forwarding can only be prevented by a server or firewall. A company cannot control all servers on the Internet. Firewall-based control can also be tricky, as most organizations have servers on Amazon AWS and other cloud services, and those servers are typically accessed using SSH.
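As an added example (not from this article or from OpenSSH itself) covering both the server-side configuration section above and the advice to disable forwarding where it is not needed: a POSIX shell audit that reads the effective global values of AllowTcpForwarding, AllowStreamLocalForwarding and GatewayPorts from an sshd_config, applying OpenSSH's first-occurrence rule and its compiled-in defaults, and flags a server that still permits forwarding. The function names and the sample configuration are my own constructions; the script assumes the whitespace-separated "Keyword value" form.

```shell
#!/bin/sh
# Added example, not from the article or from OpenSSH: audit the global
# forwarding settings of an sshd_config. Assumes the whitespace-separated
# "Keyword value" form; the sample config at the bottom is constructed.

# Print the effective global value of a keyword. sshd uses the FIRST
# occurrence of each keyword, and settings inside a Match block apply only
# conditionally, so scanning stops at the first Match line. Keywords are
# case-insensitive. Usage: effective_setting FILE KEYWORD DEFAULT
effective_setting() {
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    val=$(awk -v key="$key" '
        tolower($1) == "match" { exit }          # conditional section begins
        $1 ~ /^#/ || NF < 2 { next }             # comment or blank line
        tolower($1) == key { print tolower($2); exit }
    ' "$1")
    printf '%s\n' "${val:-$3}"
}

# Report which forwarding paths the server still permits, using the
# compiled-in OpenSSH defaults (yes, yes, no) when a keyword is absent.
# Returns 0 when all forwarding is refused, 1 otherwise.
audit_forwarding() {
    tcp=$(effective_setting "$1" AllowTcpForwarding yes)
    stream=$(effective_setting "$1" AllowStreamLocalForwarding yes)
    gw=$(effective_setting "$1" GatewayPorts no)
    rc=0
    [ "$tcp" = no ] || { echo "AllowTcpForwarding=$tcp: TCP forwarding permitted"; rc=1; }
    [ "$stream" = no ] || { echo "AllowStreamLocalForwarding=$stream: socket forwarding permitted"; rc=1; }
    # GatewayPorts only matters when remote forwards are possible at all.
    if [ "$tcp" != no ] && [ "$tcp" != local ] && [ "$gw" != no ]; then
        echo "GatewayPorts=$gw: remote forwards reachable from other hosts"
    fi
    return $rc
}

# Constructed sample: an SFTP server whose global settings still allow
# forwarding; the Match block fixes it for one group only.
SAMPLE_CFG=$(mktemp)
cat > "$SAMPLE_CFG" <<'EOF'
# constructed example config
AllowTcpForwarding remote
GatewayPorts yes
Subsystem sftp internal-sftp
Match Group sftponly
    AllowTcpForwarding no
    ForceCommand internal-sftp
EOF
audit_forwarding "$SAMPLE_CFG" || echo "review: forwarding is still enabled globally"
```

Run it against a real file by replacing the sample path; the Match block is deliberately not evaluated, so a restriction that exists only for one group does not make the global audit pass.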
SSH's Tectia SSH Client/Server solution is a commercial solution that can provide secure application tunneling along with SFTP and secure remote access for businesses.
More information
- Learn more about SSH tunneling